[00:13.180 --> 00:21.240]  So, here we are. The end of day one. Our final talk. Something that I've been super excited to hear about.
[00:21.500 --> 00:27.220]  But before we get to that, again, if you haven't gotten a t-shirt, head out to the AppSecVillage website.
[00:27.220 --> 00:34.080]  You can pick up a shirt there. And let's give a big thumbs up to everybody who helped to put this on this year.
[00:34.080 --> 00:38.660]  This is fantastic. Definitely want to thank everyone.
[00:38.660 --> 00:44.580]  The next speaker, Mario Arias, is going to talk about Threat Modeling the Death Star.
[00:44.580 --> 00:48.960]  Which, what better model could we use, right?
[00:48.960 --> 00:53.620]  Mario is a software developer with 10 years of experience in four different countries.
[00:53.620 --> 00:58.960]  His expertise involves security, DevOps, and Agile practices.
[00:58.960 --> 01:06.980]  Mario helps teams to deliver value quickly while keeping applications, infrastructure, and data safe.
[01:06.980 --> 01:10.620]  With that, let's welcome Mario to the stage.
[01:10.980 --> 01:15.220]  Hello, everyone. Welcome to my talk, Threat Modeling the Death Star.
[01:15.380 --> 01:19.320]  My name is Mario. I have been a software developer for over 10 years.
[01:19.420 --> 01:24.200]  And more recently, two or three years ago, I moved to being a full-time security engineer.
[01:24.700 --> 01:28.540]  And nowadays, I'm a software engineer at Canva.
[01:29.540 --> 01:33.020]  Today, I want to talk about Threat Modeling.
[01:33.020 --> 01:39.660]  Threat Modeling is a subject that is very important and is very dear to my heart for many different reasons.
[01:39.660 --> 01:47.100]  But the main reason is a reason that was shown in the State of DevOps report from last year.
[01:47.280 --> 01:52.920]  So, the State of DevOps report is a report done by Puppet and different companies
[01:52.920 --> 02:01.420]  where they look at different companies and they try to get information about how efficient they are in the DevOps world.
[02:01.420 --> 02:04.720]  And one of the things they look at is security.
[02:05.340 --> 02:09.600]  And they found, looking at all different companies of all different sizes,
[02:09.920 --> 02:17.340]  The most effective way to improve your security posture is to do collaborative Threat Models
[02:17.340 --> 02:20.540]  with the security team and the development teams.
[02:20.540 --> 02:24.000]  That's really, really important to improve your security posture.
[02:24.000 --> 02:28.480]  And that's what I have seen in my experience as well as a security engineer.
[02:28.480 --> 02:36.600]  Every time I introduce Threat Modeling to a company or to a team, I could see the benefits of it very quickly.
[02:36.600 --> 02:39.280]  Like, the improvement of the security posture.
[02:40.520 --> 02:45.040]  But before we're going to jump in and go into more advanced details about Threat Modeling,
[02:45.040 --> 02:48.440]  I want to talk a little bit about what the definition is, right?
[02:48.800 --> 02:53.200]  And if you look, if you try to Google it, you're going to see, like, many different definitions.
[02:53.200 --> 02:56.020]  But this one I like the best.
[02:56.560 --> 03:02.920]  It's that Threat Modeling is a process to identify and enumerate threats.
[03:03.040 --> 03:06.860]  That's what Threat Modeling is at the end of the day, right?
[03:07.240 --> 03:10.840]  And that makes a lot of sense for security people.
[03:10.840 --> 03:15.980]  But then when you try to go to non-security people or non-Threat Modeling nerds,
[03:15.980 --> 03:18.540]  they don't get very impressed, right?
[03:18.540 --> 03:23.080]  It's a very dry concept. It's a very abstract concept.
[03:23.080 --> 03:31.860]  And it's really hard to engage people who are not from security to actually understand and get involved with Threat Modeling.
[03:32.500 --> 03:34.760]  And that's a hard situation, isn't it?
[03:34.760 --> 03:39.560]  Like, on one hand, Threat Modeling brings so many benefits to the organization.
[03:39.900 --> 03:43.780]  But on the other hand, it's really hard to get other people to do it.
[03:44.040 --> 03:46.640]  And that was my position a few years ago.
[03:46.640 --> 03:50.220]  And I tried to introduce Threat Modeling in a company.
[03:50.360 --> 03:54.720]  And I really knew that Threat Modeling is quite important.
[03:55.320 --> 03:59.040]  But I also knew that it's not very engaging at all.
[03:59.040 --> 04:03.120]  So I was trying to find a balance where I could reap the benefits of Threat Modeling
[04:03.640 --> 04:09.740]  while making sure people were motivated enough to engage and participate in the process.
[04:09.740 --> 04:14.520]  It's not only one checkbox that you need to do at the end of the day, right?
[04:16.040 --> 04:19.960]  Anyway, then I came up with a list of requirements.
[04:20.460 --> 04:22.040]  What are the requirements?
[04:22.040 --> 04:27.080]  The requirements are things that, I felt, if they weren't there in the Threat Modeling process,
[04:27.080 --> 04:28.660]  it wouldn't be very successful.
[04:28.660 --> 04:33.400]  I wouldn't think that actually it's something that's valuable to the company.
[04:34.460 --> 04:37.860]  And I came up with three different requirements, right?
[04:37.940 --> 04:42.280]  One is, it needs to be engaging. Threat Modeling definitely needs to be engaging.
[04:42.280 --> 04:45.520]  It shouldn't be another boring meeting people need to attend.
[04:45.520 --> 04:49.340]  It should be something more fun and more engaging,
[04:49.340 --> 04:55.820]  so people can go and have a good time, at least in the Threat Modeling session.
[04:55.920 --> 04:58.020]  It needs to be highly collaborative.
[04:58.240 --> 05:03.140]  Again, the magic of Threat Modeling happens when you get the security team doing it,
[05:03.140 --> 05:06.660]  and the development team doing it as well, together.
[05:06.660 --> 05:10.240]  And collaborating gets the process done.
[05:10.240 --> 05:13.440]  For me, it was a no-go to have a process
[05:13.600 --> 05:16.920]  where the security team did it behind the scenes,
[05:16.920 --> 05:19.740]  and they just returned a report to the development team.
[05:19.740 --> 05:22.140]  It definitely wasn't something I wanted to do.
[05:23.060 --> 05:26.040]  And finally, it needs to be valuable for everyone.
[05:26.220 --> 05:30.400]  And it sounds a bit silly, but it's very easy for people to think,
[05:30.400 --> 05:34.860]  like, I'm doing this Threat Modeling just to make sure the security team is happy,
[05:34.860 --> 05:36.220]  and then I can do my stuff.
[05:36.920 --> 05:39.700]  That's not the idea that I want to do for the Threat Modeling.
[05:39.700 --> 05:43.840]  I want something that if people are participating, collaborating,
[05:43.840 --> 05:45.680]  they could get something out of it.
[05:45.700 --> 05:48.800]  They could understand the process, and see the value of it,
[05:48.800 --> 05:50.220]  and then do it again and again.
[05:50.220 --> 05:54.140]  Not only because the security team wants to have the software more secure,
[05:54.140 --> 05:57.960]  because they also see value, and they also want to get their software more secure.
[05:59.720 --> 06:03.200]  And then I looked at very different methodologies.
[06:03.200 --> 06:06.980]  I looked at STRIDE, I looked at PASTA, I looked at many others.
[06:06.980 --> 06:11.680]  But the methodology that I like the most is Attack Trees.
[06:11.680 --> 06:15.160]  I think that resonates well with me, my experience,
[06:15.160 --> 06:19.920]  and resonates very well with the teams and companies I have worked for,
[06:19.920 --> 06:21.760]  where I introduced that.
[06:22.120 --> 06:26.700]  I really like the way, because it's very simple, and it's very easy to do it.
[06:26.980 --> 06:30.580]  That doesn't mean it's the best methodology for everyone,
[06:30.580 --> 06:35.100]  like, different people have different styles, different companies have different cultures.
[06:35.100 --> 06:37.940]  You might find something different for yourself.
[06:38.060 --> 06:43.100]  But for me, when I saw Attack Trees, I really understood the concept.
[06:43.100 --> 06:46.640]  I really could see that being rolled out to the company.
[06:47.340 --> 06:50.460]  But before I actually tried to do the rollout for the company,
[06:50.460 --> 06:52.140]  I did a pilot first.
[06:52.200 --> 06:54.480]  I chose a few selected teams.
[06:54.480 --> 06:56.900]  They were doing some interesting work,
[06:56.900 --> 07:00.820]  and they were trying to model the aggregate value at that phase of the work.
[07:01.400 --> 07:04.760]  And with that, I talked to them, I did some pilots,
[07:04.760 --> 07:06.520]  I did a few training models,
[07:06.520 --> 07:08.260]  and then I did a survey at the end of it,
[07:08.260 --> 07:11.060]  to see what people think about the process.
[07:11.060 --> 07:13.140]  And I really asked them to be very honest,
[07:13.140 --> 07:15.380]  because if it wasn't working for them,
[07:15.380 --> 07:18.160]  chances are it wouldn't work for other people in the company,
[07:18.160 --> 07:19.760]  so it wouldn't be successful,
[07:19.760 --> 07:22.080]  and we should just start from scratch again,
[07:22.080 --> 07:24.180]  rather than try to roll out that process.
[07:25.040 --> 07:29.280]  And the numbers I got were very positive, let's say this.
[07:29.280 --> 07:34.700]  80% of developers found it useful, they found it valuable,
[07:34.700 --> 07:36.960]  and they would participate again.
[07:36.980 --> 07:41.100]  And for me, the participation again was the ultimate metric.
[07:41.100 --> 07:45.620]  If they would participate again, it's because I hit the three requirements.
[07:45.620 --> 07:50.640]  They saw value in it, it was collaborative, and it was engaging.
[07:50.640 --> 07:53.600]  And they saw value, they actually saw value for them,
[07:53.600 --> 07:55.240]  and they wanted to do it again.
[07:55.360 --> 07:58.380]  So that made me feel confident,
[07:58.380 --> 08:01.180]  and then I rolled that out to the rest of the company.
[08:01.600 --> 08:03.320]  And I'm going to talk about that,
[08:03.320 --> 08:05.220]  what's the process I rolled out,
[08:05.220 --> 08:08.380]  but I want to use Star Wars for that.
[08:08.380 --> 08:11.240]  Because, again, threat modeling is very dry,
[08:11.240 --> 08:14.380]  it's a very abstract concept.
[08:14.580 --> 08:19.460]  So I always try to find different ways to make threat modeling a bit more engaging.
[08:19.780 --> 08:23.100]  And Star Wars is one of the funniest ways that I have seen so far.
[08:23.660 --> 08:26.020]  So let's start with Star Wars.
[08:27.120 --> 08:33.480]  And that story starts with yourself, in the audience, watching this at this point,
[08:34.280 --> 08:38.880]  where you are the new CSO of the Galactic Empire,
[08:38.880 --> 08:41.380]  Chief Security Officer.
[08:41.460 --> 08:42.660]  Well done.
[08:42.660 --> 08:45.360]  You started as a low-level Stormtrooper,
[08:45.360 --> 08:49.120]  fighting the trenches against the rebellion,
[08:49.120 --> 08:50.860]  and you made your way all the way to the top.
[08:50.860 --> 08:52.940]  Now you're a Chief Security Officer.
[08:52.940 --> 08:54.300]  Well, well done.
[08:55.040 --> 08:58.620]  But not everything is perfect, is it?
[08:59.600 --> 09:02.580]  That guy now is your new boss.
[09:03.280 --> 09:05.300]  Yeah, and...
[09:05.880 --> 09:08.340]  How can I say this?
[09:08.580 --> 09:12.620]  He has a very different style of leadership.
[09:12.620 --> 09:15.480]  This whole thing you learned about today,
[09:15.480 --> 09:18.520]  blameless culture or servant leadership,
[09:18.820 --> 09:21.260]  is definitely not something he believes in.
[09:21.260 --> 09:24.540]  He's more like an old-school kind of guy.
[09:24.540 --> 09:29.440]  He really thinks high accountability is the way moving forward.
[09:29.540 --> 09:30.560]  But that's okay.
[09:30.560 --> 09:35.720]  Everybody had some problematic boss at some point in their careers.
[09:35.720 --> 09:38.460]  I'm pretty sure you can work around the guy.
[09:40.540 --> 09:43.220]  And you, as being a CSO,
[09:43.220 --> 09:46.780]  you start to look at the crown jewels of the Empire.
[09:46.780 --> 09:48.720]  What are the most important assets?
[09:48.720 --> 09:52.040]  And what do you need to protect first before everything else?
[09:52.040 --> 09:55.500]  And the answer was very easy and very big as well.
[09:55.500 --> 09:57.860]  The answer was the Death Star.
[09:58.200 --> 10:01.460]  It's the most expensive project in the whole Galactic Empire.
[10:01.460 --> 10:04.760]  It costs around 2 trillion credits.
[10:05.000 --> 10:07.560]  It's been 20 years in the making.
[10:07.560 --> 10:10.280]  It's the biggest weapon of the galaxy.
[10:10.280 --> 10:15.400]  And a major strategic asset for the Galactic Empire.
[10:15.400 --> 10:19.940]  So definitely, that's the asset you need to focus on.
[10:20.240 --> 10:25.540]  However, it's a project that's been like any waterfall project.
[10:25.820 --> 10:29.140]  It's, like, over budget and overdue.
[10:29.140 --> 10:30.840]  And the business is not happy with it.
[10:30.840 --> 10:33.920]  And the business would like to release that as quickly as they can to production.
[10:33.920 --> 10:38.900]  It's been delayed, delayed, delayed for over too many years.
[10:38.900 --> 10:42.700]  So your boss and the Emperor, they're not very happy.
[10:43.100 --> 10:44.080]  But that's fine.
[10:44.080 --> 10:45.240]  You can work with that.
[10:45.240 --> 10:46.700]  You're a professional, right?
[10:48.520 --> 10:52.360]  Okay, so you've identified already what you need to protect.
[10:52.360 --> 10:53.300]  That's the Death Star.
[10:53.300 --> 10:54.780]  It's a good first step.
[10:54.960 --> 10:58.920]  But you need to have some sort of understanding what kind of adversaries are going to happen.
[10:58.920 --> 11:01.460]  Like what kind of attackers are going to happen.
[11:01.820 --> 11:05.460]  And you use a simple exercise called evil personas.
[11:05.920 --> 11:10.480]  The Galactic Empire has been attacked for too many years already.
[11:10.480 --> 11:16.320]  So you kind of know exactly what kind of attackers the Empire can have.
[11:17.080 --> 11:21.920]  So let's talk about it because we need to protect the Death Star against them.
[11:23.020 --> 11:25.720]  And the first one is very interesting.
[11:25.720 --> 11:27.340]  It's Jar Jar Binks, right?
[11:27.460 --> 11:35.380]  Jar Jar Binks just represents a class of attackers where they don't know very well what they are doing.
[11:35.380 --> 11:37.860]  They don't have too many resources.
[11:37.880 --> 11:39.500]  They're also very competitive.
[11:39.500 --> 11:45.420]  So they keep trying to show their colleagues how good they are.
[11:46.140 --> 11:48.580]  Sometimes it can be annoying for the Empire.
[11:48.620 --> 11:53.400]  But honestly, when it comes to the Death Star, they are not very important personas.
[11:53.400 --> 12:01.840]  So although it's good to list them, it's not very useful for your modeling for the Death Star.
[12:01.840 --> 12:03.680]  So we'll just move to the next persona.
[12:04.820 --> 12:09.820]  Now we're going to talk about Han Solo, right?
[12:09.860 --> 12:16.340]  And Han Solo is a very interesting persona because Han Solo has a lot more expertise.
[12:16.800 --> 12:22.140]  Han Solo knows what they're doing, like any other Bounty Hunter.
[12:22.140 --> 12:23.620]  They know what they're doing.
[12:23.700 --> 12:25.640]  They have more resources as well.
[12:25.640 --> 12:27.280]  They have their own ship.
[12:27.280 --> 12:30.960]  They might have different weapons.
[12:30.960 --> 12:35.320]  But then again, they are there for the money and they don't organize themselves very well.
[12:35.320 --> 12:37.640]  Bounty Hunters are very competitive as well.
[12:37.640 --> 12:41.640]  They keep trying to go to the easy prey and get some easy money.
[12:41.640 --> 12:44.620]  But they don't try anything too big or anything like that.
[12:45.040 --> 12:48.660]  When it comes to the Death Star, it can be annoying.
[12:49.160 --> 12:54.720]  But on the other hand, they're probably not a big threat as well.
[12:56.240 --> 12:58.660]  But these people...
[12:59.340 --> 13:01.680]  These people can be problematic.
[13:02.460 --> 13:03.660]  Jedis.
[13:03.920 --> 13:07.740]  First, their expertise is huge.
[13:07.740 --> 13:11.960]  Well, not only because they have been training for many, many years.
[13:11.960 --> 13:15.460]  But because they have magic in their favor.
[13:16.280 --> 13:18.660]  How can you defend against magic?
[13:18.660 --> 13:22.420]  If you have a guard and they're like, you didn't see me or whatever.
[13:22.420 --> 13:24.800]  It's really, really hard to defend against them.
[13:25.020 --> 13:30.760]  Lucky you, since your boss managed to kill most of them years and years ago.
[13:30.760 --> 13:36.820]  And the ones that are out there, they're probably hidden and they're not much of a threat anyway.
[13:37.260 --> 13:42.700]  So although you list them as a threat, because they're very unlikely to show up,
[13:42.760 --> 13:45.840]  and it's very hard to protect against these people,
[13:45.840 --> 13:47.880]  you also don't focus on them very much.
[13:47.880 --> 13:53.200]  You trust that your boss did a very good job and eliminated them.
[13:54.640 --> 13:58.880]  Then we start talking about more interesting personas when it comes to the Death Star.
[13:59.080 --> 14:02.260]  And here we talk about insider threats.
[14:02.360 --> 14:07.020]  But honestly, insider threats should be many different personas.
[14:07.020 --> 14:11.520]  Because the Empire has many different levels, ranking levels, right?
[14:11.920 --> 14:15.780]  A Stormtrooper that's an insider threat is not as dangerous.
[14:15.780 --> 14:20.140]  Whereas a C-level executive like yourself becoming an insider threat is much more dangerous.
[14:21.200 --> 14:27.060]  Regardless of their position though, they have been trained by the Galactic Empire, right?
[14:27.400 --> 14:32.220]  So they have a strong training and they know what they need to do.
[14:32.220 --> 14:34.320]  They are very good at what they do.
[14:35.220 --> 14:37.280]  They might have, again, resources.
[14:37.280 --> 14:39.400]  It's a bit of an interesting thing.
[14:39.400 --> 14:41.940]  If you're a Stormtrooper, you don't have much money.
[14:41.940 --> 14:47.360]  Whereas a C-level executive like yourself has lots of money, lots of resources.
[14:47.540 --> 14:51.780]  But regardless, again, of their position, they organize themselves pretty well.
[14:52.640 --> 14:55.980]  The Galactic Empire is a military organization.
[14:56.140 --> 14:58.620]  So they organize all the insider threats.
[14:58.880 --> 15:00.860]  They can join terrorist groups.
[15:00.860 --> 15:02.880]  They can form their own terrorist groups.
[15:03.120 --> 15:06.520]  So they can become a problem because they organize themselves very well.
[15:06.520 --> 15:09.520]  Even if you're at a low level Stormtrooper.
[15:10.350 --> 15:18.780]  But the most important persona for the Death Star is Princess Leia, right?
[15:18.780 --> 15:23.320]  Princess Leia represents the Rebellion.
[15:23.660 --> 15:31.960]  The Rebellion, as you all well know, is a terrorist organization trying to bring trouble to the Galactic Empire.
[15:31.960 --> 15:35.200]  Whereas the Empire is just trying to make the galaxy stable, you know?
[15:35.200 --> 15:37.360]  A bit of order here and there.
[15:39.060 --> 15:43.220]  But although they are a terrorist organization, they have lots of expertise.
[15:43.220 --> 15:46.520]  They have pilots, they have diplomats, they have spies.
[15:46.540 --> 15:47.840]  And they are very good.
[15:47.840 --> 15:50.980]  They can sometimes go toe-to-toe with the Galactic Empire.
[15:50.980 --> 15:53.360]  So they do have a lot of expertise.
[15:54.140 --> 15:59.140]  Even for a terrorist organization, they have lots of resources.
[15:59.780 --> 16:02.540]  You're not quite sure where they get the money from.
[16:02.540 --> 16:05.080]  But they have lots of money.
[16:05.080 --> 16:06.660]  They have a small army.
[16:06.660 --> 16:08.120]  They have ships.
[16:08.560 --> 16:10.760]  They have bases across the galaxy.
[16:10.760 --> 16:13.400]  So they have lots of resources.
[16:13.940 --> 16:18.400]  And for a terrorist organization, they organize themselves pretty well.
[16:18.700 --> 16:24.060]  They have become a major pain for the Galactic Empire in the last few years.
[16:24.100 --> 16:30.380]  Sometimes they shut down Empire operations or shut down entire armies.
[16:30.380 --> 16:35.240]  So definitely Princess Leia is your most important persona.
[16:35.500 --> 16:37.220]  And the one you need to look after.
[16:38.140 --> 16:41.240]  Cool. So that's the summary of your personas, right?
[16:41.240 --> 16:46.480]  From Script Kiddie, going through Bounty Hunter, Insider Threat,
[16:46.480 --> 16:50.120]  Jedis, and even Princess Leia, the Rebellion.
[16:51.400 --> 16:54.340]  Now going back a little bit to the real world.
[16:54.820 --> 16:59.140]  Personas, if you want to do that in your own organization,
[16:59.140 --> 17:02.220]  for a large organization, it shouldn't be very hard for you
[17:02.220 --> 17:05.840]  because your organization probably has been attacked before.
[17:05.940 --> 17:10.720]  So you just talk to the security team in your company,
[17:10.720 --> 17:12.960]  the ones who look more at incident response.
[17:12.960 --> 17:16.440]  They might have an idea of the kind of attackers you have.
[17:16.580 --> 17:20.080]  If you, on the other hand, are working for a smaller company,
[17:20.080 --> 17:27.980]  you might try to look at other websites and find places where they define generic attackers.
[17:27.980 --> 17:31.260]  You start with them, and then as you grow, as you scale,
[17:31.260 --> 17:35.560]  and then have real attacks, you can tweak your personas as you go.
[17:35.560 --> 17:40.080]  But it's important to have a kind of understanding of what the attackers are
[17:40.080 --> 17:45.360]  and not stay only at the abstract level of an imaginary attacker.
[17:46.920 --> 17:50.420]  Cool. So now you have the asset that's a Death Star.
[17:50.420 --> 17:55.380]  You have the personas. So now it's time to build the attack tree.
[17:55.920 --> 18:00.380]  And the first thing you need to do is get the right people in the room.
[18:00.380 --> 18:06.180]  Remember, my first slide was talking about how Threat Modeling should be a collaborative exercise
[18:06.180 --> 18:08.880]  and everybody should participate together.
[18:09.320 --> 18:11.420]  So that's what you try to do.
[18:11.420 --> 18:16.560]  You try to get everybody in the room so you could run the exercise.
[18:16.640 --> 18:20.480]  You got the Death Star designers and architects.
[18:20.480 --> 18:22.080]  You got your own team.
[18:22.080 --> 18:25.220]  You took so much trouble to go through that.
[18:25.220 --> 18:29.660]  Because imagine, it's already really hard to deal with time zones
[18:29.660 --> 18:33.580]  and book everybody at the same time, and when you're across the galaxy,
[18:33.580 --> 18:35.740]  time zones are not even a thing.
[18:36.020 --> 18:39.140]  But somehow you managed to put everyone in the room.
[18:39.140 --> 18:46.940]  You even got Darth Vader to do an introduction for the meeting,
[18:46.940 --> 18:52.340]  to give some motivation for people, you know, like the kind of C-level introduction.
[18:53.480 --> 18:57.020]  And then you start to run the attack tree session.
[18:57.840 --> 19:01.540]  And the attack tree session starts with the root node.
[19:01.900 --> 19:04.600]  It's kind of the attacker goal, right?
[19:04.600 --> 19:07.400]  What the attacker wants to do against your asset.
[19:07.660 --> 19:10.780]  And you could look at very different kind of attacks.
[19:10.780 --> 19:16.980]  For example, if you look at Han Solo, a bounty hunter.
[19:17.240 --> 19:21.060]  When he looks at the Death Star, he's probably trying to make some money out of it.
[19:21.080 --> 19:23.940]  He might steal some weapons, he might steal food, I don't know.
[19:23.940 --> 19:26.340]  He might steal a lot of stuff.
[19:26.740 --> 19:31.600]  But then you need to look and focus on what's most damaging for the Galactic Empire.
[19:31.740 --> 19:35.780]  Even if Han Solo manages to steal a bunch of weapons or a bunch of food,
[19:36.620 --> 19:39.100]  that really doesn't impact very much the Galactic Empire.
[19:39.100 --> 19:43.400]  It's annoying for sure, but it's not much of a big problem.
[19:43.500 --> 19:47.340]  So you come up with two different attacker goals.
[19:48.440 --> 19:55.100]  If the attacker manages to accomplish this, it can be really damaging for the Galactic Empire.
[19:55.100 --> 19:57.520]  So you're going to focus on that one.
[19:58.160 --> 20:01.660]  And there are two kinds of goals that you need to look at.
[20:01.680 --> 20:06.580]  Take control of the Death Star or take the Death Star out of action.
[20:06.580 --> 20:11.240]  And taking control of the Death Star would be really, really bad.
[20:11.240 --> 20:15.800]  Imagine going to 20 years of project, release that to production,
[20:15.800 --> 20:21.160]  just for some kind of attacker to get that weapon from you and use against the Empire.
[20:21.160 --> 20:22.700]  That would be terrible.
[20:23.040 --> 20:28.120]  But as well, it would be very unlikely for the kind of attackers you have,
[20:28.120 --> 20:35.880]  because none of them have the resources to actually manage a ship like the Death Star.
[20:35.880 --> 20:42.040]  You need to have like one million crew inside the Death Star to manage the whole thing.
[20:42.040 --> 20:47.800]  You need to have a very specific expertise and there's lots of proprietary technology.
[20:47.900 --> 20:54.620]  So even Princess Leia wouldn't be able to take the Death Star out of the Galactic Empire and use it against the Empire.
[20:54.980 --> 21:00.560]  But they definitely, definitely can take the Death Star out of action.
[21:00.560 --> 21:03.120]  That's probably what would be the first goal.
[21:03.120 --> 21:09.420]  As soon as they know about the Death Star, they try to take it out of action and take this advantage,
[21:09.420 --> 21:12.960]  the Galactic Empire's beauty, out of the game.
[21:12.960 --> 21:15.000]  So we're going to focus on that.
[21:15.000 --> 21:18.840]  And we're also going to focus on Princess Leia as a persona,
[21:18.840 --> 21:23.260]  because she's probably the one who can actually accomplish this.
[21:24.820 --> 21:28.340]  So we chose to take the Death Star out of action.
[21:28.340 --> 21:33.720]  Now we need to think about how would you try to do this, right?
[21:34.260 --> 21:37.760]  How would you accomplish taking the Death Star out of action?
[21:37.760 --> 21:41.440]  So that's where the collaboration and the magic happens.
[21:41.440 --> 21:45.620]  The security team throws some ideas, the developers throw other ideas,
[21:45.620 --> 21:50.620]  and then you try to figure out which one of these nodes are more likely to happen.
[21:50.620 --> 21:57.220]  And when you've got everybody in the room, there are two kinds of nodes that show up.
[21:57.220 --> 22:01.340]  They're really important, and they're more likely to happen.
[22:01.600 --> 22:04.420]  One is disable the Death Star.
[22:04.600 --> 22:10.760]  I'm not talking about a 15-minute disablement or maybe turn off the power for 15 minutes or something like that.
[22:10.760 --> 22:16.660]  I'm talking about some sort of disablement that is so dangerous, it's so problematic,
[22:16.660 --> 22:20.100]  that probably the Death Star is not usable anymore.
[22:20.100 --> 22:25.540]  You need to rebuild the Death Star from scratch so you can re-enable again.
[22:25.600 --> 22:30.620]  So it's kind of a disablement, where it's probably better to just create another one rather than fix it.
[22:30.900 --> 22:33.860]  Same like you break your iPhone screen, for example.
[22:33.860 --> 22:36.900]  It's so expensive, they're most likely to just buy a new one.
[22:37.800 --> 22:39.860]  And the other one is destroy the Death Star.
[22:39.860 --> 22:44.420]  Literally destroy the whole thing, exploding PCs or whatever.
[22:44.720 --> 22:48.540]  So that's the two main ways you can take the Death Star out of action.
[22:49.900 --> 22:53.360]  So let's focus a little bit on disable the Death Star.
[22:53.680 --> 22:58.060]  To disable the Death Star, you'd have two kinds of nodes as well.
[22:58.060 --> 23:00.300]  Two different ways to do this.
[23:00.300 --> 23:05.820]  One is what we call a system failure and the other one is a mechanical failure.
[23:05.820 --> 23:11.580]  And a system failure is mostly like, for example, you disable the navigation system,
[23:11.580 --> 23:15.920]  you disable the heating system, you disable the engine system.
[23:15.920 --> 23:21.580]  You disable in such a way these core critical systems that they might cause a chain reaction
[23:21.580 --> 23:25.040]  in the other systems and shut down the Death Star.
[23:25.080 --> 23:28.220]  Or it can cause some sort of mechanical failure.
[23:28.220 --> 23:31.220]  And then it can cause some problem on the hardware itself.
[23:31.480 --> 23:36.440]  And the hardware can cause, again, another kind of chain reaction
[23:36.440 --> 23:39.440]  that's going to cause the whole Death Star to shut down.
[23:40.660 --> 23:43.800]  So how would you accomplish these things?
[23:44.400 --> 23:49.480]  And then for system failure, you need to compromise a critical IT system.
[23:49.700 --> 23:54.280]  And for the mechanical failure, you need to overload the critical infrastructure.
[23:54.480 --> 23:56.540]  So let's elaborate that a little bit.
[23:56.800 --> 24:01.460]  So there are many systems running inside the Death Star, right?
[24:01.520 --> 24:05.030]  And they manage some sort of critical infrastructure.
[24:05.360 --> 24:09.140]  So if you have access, if an attacker has access to this kind of systems,
[24:09.140 --> 24:10.820]  they can do some damage.
[24:10.820 --> 24:16.280]  But usually the system protects against problematic parameters,
[24:16.280 --> 24:19.440]  problematic variables, or any dangerous kind of action.
[24:19.820 --> 24:22.660]  So what you want to do is, what an attacker needs to do,
[24:22.660 --> 24:24.460]  is not only have access to these systems,
[24:24.460 --> 24:28.700]  they need to compromise so they can bypass these kind of protections
[24:29.260 --> 24:31.220]  to cause a system failure.
[24:31.900 --> 24:36.400]  When it comes to mechanical failure, you might overload some critical infrastructure.
[24:36.400 --> 24:39.100]  So you might overload the heating system somehow.
[24:39.100 --> 24:45.600]  And by overloading the heating system, you might cause all the hardware to have problems, right?
[24:45.600 --> 24:49.540]  Or you can cause the Death Star to be very uncomfortable to stay in,
[24:49.540 --> 24:52.280]  and people need to leave the ship.
[24:52.440 --> 24:54.580]  So there are different ways you can do that.
[24:56.540 --> 25:00.460]  But the interesting thing is, regardless if you're trying to compromise
[25:00.460 --> 25:04.940]  the critical IT system or overload the critical infrastructure,
[25:04.940 --> 25:08.220]  you need to have access to the internal network.
[25:08.220 --> 25:14.520]  There's no other way. So either, to have access to sensitive areas of the Death Star,
[25:14.520 --> 25:18.300]  you need to have this kind of action, you need to have this kind of privilege,
[25:18.300 --> 25:21.500]  or to compromise the critical IT system, you need to be inside the network
[25:21.500 --> 25:23.380]  so you can interact with the system.
[25:24.680 --> 25:29.580]  And it's internal network, because if you think about it,
[25:29.580 --> 25:31.080]  Death Star is just a weapon, right?
[25:31.080 --> 25:34.720]  It's not like they make their system public so people can access it.
[25:34.720 --> 25:37.440]  They are not a service, right? They are a weapon.
[25:37.440 --> 25:41.780]  And as a weapon, they hide everything as much as they can.
[25:42.340 --> 25:46.920]  So in order to get privilege access, you need to be inside the internal network.
[25:47.040 --> 25:51.160]  Anything that's public is probably not very important
[25:51.160 --> 25:55.060]  and segregated from the other internal network.
[25:55.920 --> 25:58.440]  And in order to get access to the internal network,
[25:58.440 --> 26:01.500]  you need to be inside the Death Star. There is no other way.
[26:02.020 --> 26:04.580]  And then again, Death Star is a weapon,
[26:04.580 --> 26:08.820]  and they don't expose systems to the outside world.
[26:08.840 --> 26:11.560]  And they segregated that stuff very well.
[26:11.560 --> 26:14.100]  So you need to be inside the Death Star.
[26:14.100 --> 26:19.440]  So maybe you can go to a server room or steal some kind of employee badge
[26:19.440 --> 26:21.340]  or biometrics or whatever,
[26:21.340 --> 26:24.320]  in order to get your privileged access.
[26:25.340 --> 26:29.040]  The interesting thing is, we could go in more detail
[26:29.040 --> 26:32.940]  and like, how would you get physical access to the Death Star?
[26:32.940 --> 26:37.540]  But as I said before, the Death Star has one million crew, right?
[26:37.540 --> 26:41.000]  Like, it's very likely that an attacker like Princess Leia
[26:41.000 --> 26:43.300]  is going to be able to do that.
[26:43.520 --> 26:46.760]  Even if that's not true, another attacker that we have
[26:46.760 --> 26:48.980]  is an internal attacker.
[26:49.000 --> 26:53.540]  So it might be a person who actually has rights to be inside the Death Star
[26:53.540 --> 26:56.740]  and, inside the Death Star, tries to do something malicious.
[26:57.020 --> 27:00.020]  So we're going to stop this part of the attack tree here
[27:00.820 --> 27:03.580]  and go to the next step.
[27:04.140 --> 27:06.180]  So that's all we have so far.
[27:06.180 --> 27:09.680]  So we have like, take the Death Star out of action.
[27:09.740 --> 27:11.680]  You have disabled the Death Star
[27:11.680 --> 27:15.800]  and then you have system failure and mechanical failure
[27:15.800 --> 27:17.240]  and so on and so forth.
[27:17.620 --> 27:21.400]  But this is only one part of the attack trees, right?
[27:21.400 --> 27:26.020]  We have the other one where you want to destroy the Death Star.
[27:26.300 --> 27:27.580]  So how would you do that?
[27:27.580 --> 27:29.460]  How would you destroy the Death Star?
[27:29.760 --> 27:32.160]  And there are basically two ways to do this.
[27:32.200 --> 27:35.520]  One is a big military attack.
[27:35.580 --> 27:37.360]  The Death Star is a big weapon.
[27:37.360 --> 27:38.780]  It's a huge weapon.
[27:39.180 --> 27:41.240]  It can cause a lot of damage.
[27:41.440 --> 27:46.980]  But also, it's still vulnerable to kind of military attacks.
[27:47.340 --> 27:49.480]  So yeah, that's a way to do it.
[27:50.180 --> 27:54.520]  And there is another way that you figure out in the threat modeling.
[27:54.520 --> 27:58.060]  And you are so proud that you actually got that.
[27:58.520 --> 28:01.880]  There is a reactor inside the Death Star.
[28:02.120 --> 28:04.340]  In the very core of the Death Star, there is a reactor
[28:04.340 --> 28:09.760]  which controls everything and provides energy for the whole ship.
[28:10.120 --> 28:13.260]  But the reactor is very, very hot.
[28:13.440 --> 28:18.740]  So it needs to send this heat to the space.
[28:18.820 --> 28:21.280]  And the way to do that, they build ventilation tunnels
[28:21.280 --> 28:27.040]  that go from the core straight to the top of the ship.
[28:27.060 --> 28:29.580]  So then the heat can dissipate.
[28:29.880 --> 28:32.040]  But this is also a vulnerability.
[28:32.080 --> 28:36.600]  Because now we have a straight path to the core.
[28:36.600 --> 28:38.700]  And the core is very unstable.
[28:38.700 --> 28:42.060]  So anything that goes there, any kind of explosion,
[28:42.060 --> 28:45.360]  can cause a chain reaction that can explode the whole Death Star.
[28:45.500 --> 28:50.160]  It's a really big problem in case an attacker can exploit this.
[28:50.980 --> 28:54.580]  But there are some sort of protections, let's say.
[28:54.940 --> 28:58.120]  The first one is obscurity.
[28:58.820 --> 29:00.840]  This kind of port is not very...
[29:00.840 --> 29:03.900]  You need to know where the port is, for one.
[29:04.000 --> 29:05.100]  The Death Star is huge.
[29:05.100 --> 29:09.600]  There is no easy way for an attacker from outside to know where they should hit.
[29:09.900 --> 29:12.680]  And second, the port is very small.
[29:12.680 --> 29:14.140]  It's only two meters wide.
[29:14.140 --> 29:20.860]  So it's really hard for any kind of pilot to send a bomb over there.
[29:21.340 --> 29:25.120]  So it's not like it's very likely that to happen.
[29:25.120 --> 29:27.300]  But still, not really great.
[29:28.400 --> 29:33.000]  So in order to destroy the reactor, you need to shoot the thermal port.
[29:33.500 --> 29:38.300]  And to shoot the thermal port, you need to know where the port is, right?
[29:38.580 --> 29:41.160]  So you need to obtain the Death Star plans.
[29:41.160 --> 29:47.500]  You need to somehow know what the port is so you can go there and shoot it.
[29:49.080 --> 29:52.840]  And that's the second piece of the attack tree.
[29:53.180 --> 29:58.820]  So together with the first part of the attack tree and the second part of the attack tree,
[29:58.820 --> 30:04.040]  that's what we found out about the main problems with the Death Star design
[30:04.040 --> 30:06.400]  or the procedures we have at the moment.
[30:07.620 --> 30:10.300]  And these are the main goals
[30:10.300 --> 30:12.380]  the attacker can try to accomplish.
[30:12.380 --> 30:14.720]  So if you get access to privilege,
[30:14.720 --> 30:16.620]  privilege access to network,
[30:16.620 --> 30:18.080]  that's going to be a problem.
[30:18.080 --> 30:24.100]  They have different ways where they can accomplish the disabling of the Death Star.
[30:24.420 --> 30:26.840]  A military attack, really huge,
[30:26.840 --> 30:30.020]  but something that a rebellion can pull off.
[30:30.020 --> 30:31.840]  So if you're not prepared,
[30:31.840 --> 30:35.900]  the rebellion can try to destroy the Death Star by a huge military attack.
[30:36.120 --> 30:38.380]  And finally, the thermal port.
[30:38.380 --> 30:43.120]  If somehow an attacker can shoot the thermal port,
[30:43.120 --> 30:44.240]  they cause a chain reaction
[30:44.240 --> 30:48.120]  and it can destroy the reactor and the Death Star altogether.
[30:48.640 --> 30:49.400]  That's good.
[30:49.400 --> 30:51.940]  So that was part of the threat modeling.
[30:51.940 --> 30:53.580]  And then you figure out some threats.
[30:55.580 --> 30:57.540]  And the way I like it,
[30:57.540 --> 31:01.500]  why I like the attack trees is because it's a problem solving exercise.
[31:01.760 --> 31:05.600]  And everyone in IT has this kind of mindset of problem solving.
[31:05.600 --> 31:07.160]  We have a problem and try to solve it.
[31:07.160 --> 31:08.240]  That's how we do, right?
[31:08.240 --> 31:09.540]  That's how we operate.
[31:09.820 --> 31:13.680]  But rather than like use this to build stuff,
[31:13.680 --> 31:16.640]  now we have to change the mindset and say like,
[31:16.640 --> 31:19.180]  now rather than use your problem solve to build,
[31:19.180 --> 31:22.340]  you're going to use your problem solving skills to attack.
[31:22.380 --> 31:26.340]  That's really, really powerful to get this kind of people,
[31:26.340 --> 31:29.400]  who usually don't think about attackers or attacks at all,
[31:29.400 --> 31:30.680]  thinking about these things.
[31:30.680 --> 31:35.020]  And it's interesting to see how they can find vulnerabilities on their own design.
[31:36.020 --> 31:39.960]  And it's very interesting as well, because they are collaborating on the session.
[31:39.960 --> 31:41.640]  When you need to go back to them and say,
[31:41.640 --> 31:45.240]  hey, remember the vulnerability we found, we need to fix it.
[31:45.620 --> 31:47.000]  They already know the context.
[31:47.000 --> 31:47.940]  They were there.
[31:48.020 --> 31:51.420]  Maybe they were the ones who found out anyway.
[31:51.740 --> 31:55.100]  And they are the ones who know how to fix it easily as well.
[31:55.760 --> 31:58.000]  So it's a really interesting exercise.
[31:58.000 --> 32:03.280]  And it's really, really powerful the way we can get people who never think about attackers,
[32:03.280 --> 32:04.920]  try to think like this.
[32:04.920 --> 32:09.160]  It makes them look at their system in a very different way.
[32:09.180 --> 32:10.840]  And they only can cause good things,
[32:10.840 --> 32:14.920]  because they know how to fix the problems and make the system more secure.
[32:16.560 --> 32:17.600]  Cool.
[32:17.680 --> 32:20.680]  Now you have identified the risks and the threats.
[32:20.680 --> 32:22.900]  So now we need to mitigate those.
[32:23.800 --> 32:28.280]  And the first risk we need to mitigate is privileged access to the internal network.
[32:28.360 --> 32:30.960]  And the impact for that is high.
[32:30.960 --> 32:33.760]  If an attacker actually manages to do this,
[32:33.760 --> 32:36.280]  it can be really problematic for the Empire.
[32:36.620 --> 32:39.000]  The likelihood we put as a medium,
[32:39.000 --> 32:42.320]  because it's not very easy, you need to be inside the Death Star.
[32:42.360 --> 32:47.380]  But the Death Star and the network of the Death Star is not very secure.
[32:47.600 --> 32:53.500]  The Rebellion has been hacking the Galactic Empire for many years.
[32:53.540 --> 32:56.360]  But you are a good security professional, aren't you?
[32:56.620 --> 33:00.580]  So you come up with some measures that you can implement in the network,
[33:00.580 --> 33:03.200]  some quick wins, some testing.
[33:03.340 --> 33:07.980]  And then you harden the network and make it a lot harder for the attacker
[33:08.660 --> 33:11.520]  to get privileged access to this.
[33:11.640 --> 33:14.180]  So after this work has been done,
[33:14.180 --> 33:18.580]  you actually managed to improve the likelihood from medium to low.
[33:18.600 --> 33:20.340]  The impact is too high, though.
[33:20.340 --> 33:23.820]  It's really hard to make sure the impact is going to go down.
[33:23.820 --> 33:27.820]  But at least it's unlikely that it's going to happen.
[33:29.580 --> 33:30.980]  Next one.
[33:31.360 --> 33:33.540]  The next one is a military attack.
[33:33.980 --> 33:37.000]  And then again, the impact is really high.
[33:37.240 --> 33:40.920]  If the Rebellion can pull off an attack,
[33:40.920 --> 33:42.840]  then it can destroy the Death Star.
[33:42.840 --> 33:44.960]  That's a really, really high impact.
[33:44.960 --> 33:47.280]  But the likelihood is also high.
[33:47.520 --> 33:51.720]  Why is that? Because if you are Princess Leia,
[33:51.720 --> 33:56.340]  and you get to know that your biggest adversary has such a big weapon,
[33:56.340 --> 33:59.620]  you probably want to go and try to attack them first.
[34:00.160 --> 34:03.460]  But there are a few things you can do to mitigate that risk.
[34:04.100 --> 34:08.580]  The first thing is you need to come up with ways for the crew
[34:08.580 --> 34:11.540]  to respond to attacks very easily and very efficiently.
[34:11.620 --> 34:13.980]  So you define the runbooks,
[34:13.980 --> 34:19.000]  you make sure people keep on the call,
[34:19.000 --> 34:20.220]  and keep on training,
[34:20.220 --> 34:23.060]  and make sure this exercise has been running.
[34:23.060 --> 34:25.800]  So when the actual real thing comes,
[34:25.800 --> 34:27.880]  the response works very well.
[34:28.260 --> 34:31.720]  But not only that, the Death Star is going to need some support, right?
[34:31.880 --> 34:34.640]  So that's why you get Star Destroyers.
[34:34.640 --> 34:38.980]  Star Destroyers are very big, other big ships of the Galactic Empire.
[34:39.080 --> 34:42.920]  And if they are close by when the Death Star is being attacked,
[34:42.920 --> 34:46.620]  they can provide really helpful and strong support.
[34:46.620 --> 34:52.180]  And probably less likely for Rebellion to attack the Death Star
[34:52.180 --> 34:55.680]  when they have strong support as the Star Destroyers.
[34:56.320 --> 35:00.700]  And finally, try to monitor the Rebellion activities, right?
[35:00.700 --> 35:02.940]  If they try to pull off that kind of attack,
[35:02.940 --> 35:05.300]  it's a huge mobilization,
[35:05.300 --> 35:07.540]  and they need to talk to so many different people,
[35:07.540 --> 35:09.080]  and a lot of coordination.
[35:09.200 --> 35:11.920]  So if you get some sort of signal out of them,
[35:11.920 --> 35:13.660]  and then you interpret that,
[35:13.660 --> 35:17.160]  you can prepare before they actually pull off the attack.
[35:17.160 --> 35:19.840]  So you'll be a lot more prepared when they come.
[35:20.500 --> 35:25.360]  So for this, you manage to get impact from high to medium.
[35:25.360 --> 35:31.340]  Because even if the Rebellion tries to attack with a strong military attack,
[35:31.340 --> 35:33.280]  you'll be a lot more prepared,
[35:33.280 --> 35:35.460]  and maybe you can either defeat them,
[35:35.460 --> 35:39.080]  or at least buy enough time to get the Death Star out of there.
[35:39.700 --> 35:41.880]  So that's a good outcome.
[35:41.880 --> 35:43.820]  And the likelihood is also medium.
[35:43.820 --> 35:47.960]  Because if the Rebellion cannot actually destroy the Death Star,
[35:47.960 --> 35:50.320]  they'll most likely not try to attack.
[35:50.320 --> 35:52.280]  They'll only go for the victory, right?
[35:52.600 --> 35:54.560]  So if the victory is not certain,
[35:54.560 --> 35:56.700]  they'll probably not be able to do it.
[35:56.700 --> 35:59.400]  But regardless, you need to be prepared,
[35:59.400 --> 36:00.660]  and then that's what you did.
[36:00.720 --> 36:01.720]  Very well done.
[36:03.120 --> 36:07.020]  And finally, shoot at the thermal port.
[36:07.680 --> 36:10.440]  And the impact, again, is as high as the other risks.
[36:10.440 --> 36:13.660]  If somebody manages to shoot at the thermal port,
[36:13.660 --> 36:16.020]  you destroy the reactor, you destroy the Death Star.
[36:16.020 --> 36:19.340]  And the likelihood was low.
[36:19.960 --> 36:24.460]  And you didn't like how this outcome was low.
[36:24.460 --> 36:25.080]  And why is that?
[36:25.080 --> 36:27.060]  People were saying the likelihood is low
[36:27.060 --> 36:31.240]  because you need to know where the port is.
[36:31.240 --> 36:35.420]  And even if you do, it's a really difficult and hard shot, right?
[36:35.560 --> 36:37.740]  So you wanted to do a little bit more.
[36:37.740 --> 36:39.900]  You wanted to do some sort of protections,
[36:39.900 --> 36:42.780]  and maybe cause, like, if an attacker is coming,
[36:42.780 --> 36:44.240]  just close down the door,
[36:44.240 --> 36:47.420]  or open different ones, or have different levels of protection.
[36:47.460 --> 36:49.460]  You try to argue for that.
[36:49.460 --> 36:52.380]  But remember, I was talking in the beginning.
[36:52.740 --> 36:55.620]  The project was being delayed for so many years already.
[36:55.620 --> 37:01.000]  The budget has been, like, over for many years as well.
[37:01.120 --> 37:06.120]  So the business didn't want to, like, go back to the design,
[37:06.120 --> 37:08.960]  redesign the kind of ports to make sure it's more secure,
[37:08.960 --> 37:10.200]  and then implement it.
[37:10.200 --> 37:13.060]  That delayed the project for a few more years.
[37:13.060 --> 37:17.760]  And so the business decided to accept the risk.
[37:19.520 --> 37:25.180]  So, but yet, you're going to try to do something, right?
[37:25.180 --> 37:28.960]  So at least you're going to try to hide the Death Star plans.
[37:29.280 --> 37:31.200]  So if one of the things they need to do
[37:31.200 --> 37:33.340]  in order to shoot the thermal port,
[37:33.340 --> 37:34.700]  they need to know where the port is.
[37:34.700 --> 37:36.960]  So if at least you try to hide it and make it harder
[37:36.960 --> 37:40.980]  for an attacker to find out about the Death Star plans,
[37:40.980 --> 37:43.440]  sorry, about the Death Star port,
[37:44.040 --> 37:47.280]  then it wouldn't be a problem anymore, right?
[37:47.280 --> 37:49.960]  At least you would mitigate to a certain level.
[37:49.960 --> 37:52.940]  That's the only thing you could have done, so you did.
[37:53.580 --> 37:56.640]  And then you went on with your life, right?
[37:56.640 --> 37:58.480]  You did the best you could,
[37:58.480 --> 38:01.340]  then you look at different other areas of the security
[38:01.340 --> 38:04.860]  of the Galactic Empire, and you hope for the best.
[38:05.760 --> 38:08.720]  And then eventually, the Death Star has been released,
[38:08.720 --> 38:14.040]  and the Death Star has been like a cause of joy for the Empire.
[38:14.040 --> 38:17.140]  They caused lots of trouble for the Galactic Empire,
[38:17.140 --> 38:20.120]  and that happened.
[38:22.160 --> 38:24.720]  The Death Star was destroyed,
[38:24.720 --> 38:29.940]  which is not a good outcome for anyone in the Galactic Empire.
[38:30.160 --> 38:32.720]  But you're a professional, right?
[38:32.720 --> 38:34.900]  So what do you do in that situation?
[38:35.470 --> 38:36.800]  Forensic analysis.
[38:37.220 --> 38:39.440]  So you try to figure out what went wrong,
[38:39.440 --> 38:44.160]  how the Rebellion managed to destroy such an important weapon.
[38:44.660 --> 38:48.420]  And the answer is this guy, Luke Skywalker.
[38:48.780 --> 38:52.020]  He was the one who managed to shoot the thermal port.
[38:52.240 --> 38:55.380]  But there are some interesting things about Luke Skywalker.
[38:55.720 --> 38:58.760]  The first thing is, he's a Jedi,
[38:59.420 --> 39:03.340]  which is interesting, because they were supposed to be hiding,
[39:03.340 --> 39:05.580]  not actually attacking the Empire.
[39:08.960 --> 39:13.200]  And before he actually managed to shoot the thermal port,
[39:13.200 --> 39:15.980]  he was about to be shot down,
[39:15.980 --> 39:18.460]  but the person who actually helped Luke Skywalker
[39:18.460 --> 39:20.600]  was a bounty hunter.
[39:20.600 --> 39:24.620]  He came up at the last minute and saved Luke from being destroyed,
[39:24.620 --> 39:27.360]  and then Luke managed to shoot the thermal port.
[39:27.360 --> 39:31.320]  Which is interesting, because bounty hunters only help...
[39:31.320 --> 39:33.640]  they only work for money, right?
[39:33.840 --> 39:36.060]  They don't organize themselves very well,
[39:36.060 --> 39:38.520]  so why a bounty hunter is helping a Jedi?
[39:40.840 --> 39:43.620]  There's another thing that's quite interesting.
[39:43.620 --> 39:47.600]  Luke Skywalker is actually Princess Leia's brother,
[39:48.260 --> 39:52.940]  which makes him a high-ranking Rebellion official, too.
[39:52.940 --> 39:54.900]  So he's not only a Jedi,
[39:54.900 --> 39:59.980]  he's a Rebellion official.
[40:00.120 --> 40:02.860]  So, yes, interesting.
[40:02.960 --> 40:05.900]  And the worst part of it all, the worst part...
[40:07.180 --> 40:11.940]  Luke Skywalker is the son of your boss, right?
[40:11.940 --> 40:14.640]  Which makes this whole lot more complicated,
[40:14.640 --> 40:18.580]  because Luke Skywalker is considered an internal attacker now?
[40:18.580 --> 40:20.120]  You don't know.
[40:20.340 --> 40:22.580]  But definitely, like, not a problem,
[40:22.580 --> 40:26.000]  and you don't have a good feeling about it, right?
[40:26.000 --> 40:28.200]  That's a problem for your boss,
[40:28.200 --> 40:31.320]  to take care of his family and his own boss.
[40:31.780 --> 40:35.780]  But yeah, Luke Skywalker is definitely a problem,
[40:35.780 --> 40:38.860]  and he was the one who managed to pull the shot.
[40:39.080 --> 40:45.580]  But how did Luke Skywalker actually manage to find out about the port, right?
[40:46.480 --> 40:49.300]  And the answer is these two people here.
[40:49.300 --> 40:55.800]  They managed to hack the Galactic Empire and get the plans.
[40:55.900 --> 40:57.340]  And you did a good job.
[40:57.340 --> 41:02.940]  You put the Death Star plans in a very secure location,
[41:02.940 --> 41:05.580]  at least the most secure you had in the Galactic Empire.
[41:06.060 --> 41:09.320]  So these two people managed to go to this location,
[41:09.320 --> 41:11.580]  hack into the data centers,
[41:11.580 --> 41:13.320]  install the hard drive,
[41:13.320 --> 41:17.600]  and then send the copy of it to the Rebellion.
[41:18.040 --> 41:19.760]  You know what's worse?
[41:20.600 --> 41:24.640]  The worst thing about that is there was no encryption at rest!
[41:24.740 --> 41:28.420]  So they only got a copy of the hard drive and sent it to the Rebellion.
[41:28.860 --> 41:30.160]  That's not really good.
[41:31.160 --> 41:32.820]  But that's how they did it.
[41:32.820 --> 41:36.360]  So they stole the plans, they sent the plans to the Rebellion,
[41:36.360 --> 41:39.220]  the Rebellion quickly attacked the Death Star,
[41:39.220 --> 41:42.240]  and by a miracle they managed to shoot the thermal port,
[41:42.240 --> 41:44.420]  and everything was destroyed, right?
[41:45.700 --> 41:47.740]  Well, I wish good luck for you,
[41:47.740 --> 41:52.360]  because now you need to deliver your report for the forensic analysis to your boss.
[41:52.920 --> 41:54.120]  Good luck!
[41:55.880 --> 41:58.500]  Now let's talk a little bit about lessons learned, right?
[41:58.500 --> 42:00.100]  Lessons learned of this story.
[42:01.140 --> 42:02.940]  And the interesting thing is,
[42:02.940 --> 42:07.640]  I used this analogy where you found out about the problem of the thermal port
[42:07.640 --> 42:09.560]  at the very end of the design,
[42:09.560 --> 42:11.980]  at the very end of the building of the software,
[42:11.980 --> 42:14.200]  at the very end, before going to production.
[42:15.080 --> 42:18.360]  And then there's a problem that happens in all companies.
[42:18.360 --> 42:21.180]  You find a security problem at the very end,
[42:21.180 --> 42:22.400]  and then you need to fix it,
[42:22.400 --> 42:25.700]  but nobody wants to fix it before release to production.
[42:26.680 --> 42:31.280]  So threat modeling is something that you should do early and often.
[42:31.420 --> 42:33.480]  So in the case of the Death Star,
[42:33.480 --> 42:36.460]  if you had done the threat modeling at the design level,
[42:36.460 --> 42:37.640]  and people are like,
[42:37.640 --> 42:41.800]  design this Death Star and come up with this design of the thermal port,
[42:42.380 --> 42:46.360]  you could have seen it, or someone from your team,
[42:46.360 --> 42:48.740]  seen the problem, and then you fix the design.
[42:48.900 --> 42:49.800]  Right there.
[42:49.800 --> 42:52.780]  It's a lot cheaper to fix at the design level,
[42:52.780 --> 42:55.160]  or the beginning of the construction,
[42:55.160 --> 42:57.340]  or in the case of software, the beginning of the coding,
[42:57.340 --> 42:59.580]  than actually at the very end, right?
[42:59.660 --> 43:01.560]  And that's a problem that happens all the time.
[43:01.560 --> 43:05.280]  So if you want to do threat modeling, do it early and do it often.
[43:05.680 --> 43:07.180]  Because things change, right?
[43:07.180 --> 43:10.060]  Especially for software, things change all the time.
[43:10.060 --> 43:14.440]  We pivot, we implement new features, we scope certain features.
[43:14.440 --> 43:18.860]  So we need to look at that a certain amount of time.
[43:19.760 --> 43:22.660]  There are always unknowns, right?
[43:22.680 --> 43:26.080]  In this case, Luke Skywalker was a big unknown.
[43:26.080 --> 43:28.860]  He was at least three different personas, right?
[43:29.140 --> 43:31.860]  So even though you have threat modeling,
[43:31.860 --> 43:33.760]  and you have covered some of the risks,
[43:33.760 --> 43:37.160]  you always need to think about that you might have not seen something.
[43:37.160 --> 43:40.160]  Or there's some sort of information that you don't have it.
[43:40.340 --> 43:43.760]  Or the attacker can act in a very different way.
[43:44.000 --> 43:47.420]  So it's not because you have done threat modeling that it means you're secure.
[43:47.420 --> 43:50.460]  It means you covered some of the worst threats,
[43:50.460 --> 43:52.860]  but that doesn't mean you are very secure.
[43:52.900 --> 43:54.960]  So you still need to do some work on top of it.
[43:54.960 --> 43:56.380]  Threat modeling is just the beginning.
[43:57.720 --> 44:00.840]  And finally, threat modeling must be engaging.
[44:00.840 --> 44:05.260]  And then again, if people go to a meeting that's very boring,
[44:05.260 --> 44:07.980]  and they don't like it, and it's complicated,
[44:08.580 --> 44:11.220]  or it's on a checkbox, they don't engage.
[44:11.220 --> 44:13.040]  If they don't engage, they don't collaborate.
[44:13.040 --> 44:16.920]  If they don't collaborate, you don't have the magic of the threat modeling.
[44:16.940 --> 44:21.060]  The modeling doesn't work as well as it would if people are engaged.
[44:21.060 --> 44:23.380]  So in this case, I have been using attack trees.
[44:23.380 --> 44:28.020]  I think it's been very successful where I have been done it.
[44:28.020 --> 44:30.900]  But it doesn't need to be attack trees.
[44:30.900 --> 44:33.600]  Regardless of what you do for threat modeling,
[44:33.600 --> 44:37.740]  you need to make sure the people involved are engaging,
[44:37.740 --> 44:40.220]  they are engaged, they have a good time,
[44:40.220 --> 44:42.700]  and they see value in it, so they can keep coming back
[44:42.700 --> 44:45.820]  and keep doing this exercise over and over again.
[44:47.500 --> 44:50.120]  Cool. That's all I have to talk about today.
[44:50.120 --> 44:53.320]  Thank you very much. May the force be with you.
